For years, playing Valorant or League of Legends involved a tacit understanding among most players that they never explicitly agreed to: in return for a good game, you would give Riot permission to run some software on your PC before even starting Windows, accessing parts of your PC that most software couldn’t reach. This is called Vanguard, and based on who you ask, this could be a necessity that needed to be done or an anti-cheat program in disguise. Riot has now confirmed that Vanguard won’t start itself automatically when the computer turns on anymore, but it’s essential to understand what has changed and what hasn’t, and why this issue was ever present at all.
Also read: After Apple, Microsoft raises Xbox prices: New console rates and effective date
Your operating system runs on levels. The first one is user mode, which includes your browser, game and most applications that you are consciously installing on your computer. Such programs are sandboxed to a certain extent, and they have access to whatever the operating system allows them to access. Beneath the user mode is the kernel, which is the operating system itself. Kernel has unlimited access to all hardware components, processes, and memory on your computer. In other words, kernel has full control of whatever is beneath it.
A kernel level driver runs in such an environment. It is neither besides your operating system, nor above it. Rather, it runs inside the operating system at the same privilege level as the latter does. By loading its driver, Vanguard has access to all system memory and hardware and can intercept communication between any hardware components and software. It is also the main reason why cheaters prefer kernel level drivers: once the code is loaded there, it becomes impossible to detect it in any way from the user level.
Riot’s argument for running at this level has always been straightforward and, to be fair, technically sound. If Vanguard only ran in user mode, a kernel-level cheat could simply blind it entirely. A cheat driver intercepts any request a user-mode anti-cheat makes to the kernel, rendering it useless. To fight fire with fire, Vanguard needs to be in the kernel too.
Also read: GTA 6: From price to editions and release date, all FAQs answered
The problem was never really that Vanguard does something during gameplay. The problem was that Vanguard had the potential to do anything, and at any time. Prior to this fix, Vanguard’s kernel driver would be initialized at bootup, which means it would be active from the moment you started up your computer until the moment you turned it off, even if you didn’t actually launch Valorant on that day.
This makes all the difference in the world. Having kernel level access to your computer isn’t the same thing as giving an application permission to access your microphone. A bug in Vanguard, an update that went wrong, or the possibility that its build pipeline was compromised made it potentially a very serious risk indeed, and one that players were being asked to grant permanently, on pain of losing access to the game.
The introduction of the new on-demand mode at Riot means that the kernel driver of Vanguard is loaded when you run a Riot game and unloads when you stop playing it. This is actually a huge concession. The biggest valid complaint – always-on kernel-level access by a game developer – is being tackled directly.
The process that enables this is the Runtime Driver Attestation Report of Microsoft available in Windows 11 25H2. It records every driver that gets loaded after booting your computer inside the Trusted Platform Module, which is the secure cryptoprocessor on your motherboard. This allows Vanguard to check all the programs that got loaded before Vanguard, even if it wasn’t running during that process. The reason for the always-on requirement is the famous “Who Loads First” problem; this takes care of it nicely.
But this is important. This mode is optional. The architecture of the kernel driver itself has not been changed. It continues to have the same level of access while active. And for those who don’t qualify – users who do not have TPM 2.0, Secure Boot, IOMMU, VBS, and HVCI all enabled on Windows 11 25H2 – everything stays the same. Riot estimates that number at around 65 percent of its player base. For everyone else, Vanguard will continue to launch at start-up.
This move is a reminder of just how much leverage the game companies wield in this area. The reason why Riot was able to dictate kernel access on an indefinite basis, from tens of millions of players, was simply because there was no alternative – not playing. And the dynamic has not changed. Riot has decided to provide a kill switch, and that is great. But this is a choice that was made by Riot on their own terms and on their own schedule – not out of necessity.
Also read: AI-generated games may arrive sooner than expected, says CD Projekt Red Co-CEO